list of all area businesses; the response rates were 55% for childcares, and 26% for medical practices- not including thehospitals. Parents were recruited through listservs, flyers, andcompany newsletters. The only incentives provided to participatewere offered to parents; parents were paid ten dollars.Grounded theory was used for analysis. Grounded theory is amethod of evaluating ethnographic data through the use of codes by sorting findings into “themes”. Themes then inform theresearch as data findings. (See  for a thorough explanation.) Alldata from the studies were coded by at least two researchers.
Human-Mediated Information Monitoring
The central nucleus of information being stored and managedabout a patient or a child is located in their file. The centers in our studies kept the files in expansive filing shelves, or in filingcabinets. The location of the director’s office was either in thesame space as the files, or directly next to the files. Indeed,accessing, searching, and managing the files is a large part of therole of the director. However, the role of director also extends tomediating the access and use of the files by others in the center.In the case of childcares, there are instances when teachers or parents want to be able to look at a file. One director said, “Whena teacher comes in and wants access to a file they have to comethrough me first and they have to tell me their reason basically,you know, why do you need to go in there?” This director isexplaining how she monitors access to the files in a method that ismore than simply checking access rights to information. She isadditionally checking the teacher’s goal, which extends intomanaging information privacy. The director’s function is tomediate the information seeker’s goal in a way that is flexible,negotiated, and determined in a case-by-case fashion to best balance the need for information for work with need to keepinformation private.
Information Redundancy as a Form of Security
Beyond the physical file containing information about a child or patient, there is information kept in other locations. From asecurity perspective having only one instance to protect is thesimplest case. When information, however, becomes dispersed to better support individual practice, security becomes more difficultto manage due to numerous access points.In both medical and child practices there were instances whereinformation was outside the file. These include having a physicaland an electronic file, having a file for billing and a file for medical history, having files for one patient between two medicalcenters, having information on hand in different spaces, andhaving electronic copies stored in an off-site location. Onedirector explains duplicating information in multiple officelocations, “We fax patient information back and forth... Thathappens hundreds of times a day…. Always with the bigdisclaimer this is medically protected information, and this isintended for so-and-so only.” She explains that someone then filesthe appropriate information and the remainder is shredded. Thisduplication of information functions to make sure that informationis ready at hand when necessary for work and ensures that if theinformation is lost it is reproducible. Understanding whatinformation is going to be kept in what space or form, and whohas access to those instances is something that is determined bythe function of the information and also the context surroundingthe information use.
Community of Trust
To balance the need for access to information with the need tokeep information secure, communities of trust were created withinthe centers we studied. One aspect of security that we asked aboutwas the use of passwords. Computers, when used for accessing patient information, were generally in the director’s space, or thedoctor’s office. Of those medical centers that used electronicsystems, only seven (29%) had individual passwords. When askedwhy, a director said, “They can access anything. That’s their job.”This statement emphasizes that to be able to do the work requiredfor the job, levels of security have to become normalized tofunction. Another example comes from the locking of physicalfiling cabinets. It is the official policy that filing cabinetscontaining files should be locked when the director is absent:“[files are] all kept in here in a cabinet that's locked when I’m nothere and the door is locked as well.” The use of a key was,however, never observed.These examples are not work-around security practices. They are,instead, examples of how communities establish and negotiatewhat needs to be made secure. It is a demonstration of contextualintegrity  playing its role in facilitating communities of peopletrusting one another in situ.
Discussion and Design Implications
Security and work practices are not in conflict with one another.What our research has demonstrated is that practice is what isenacted after security rules are put in place. It is through creatinga community that values security, that the rules can be understood.At this stage we are starting to develop the tentative designimplications for creating security solutions. The first involvesunderstanding how a person-based and space-based hub of information can still function as a secure place if and when files become electronic. Will people still work through the human-mediated monitoring of the files? It is our belief that one personwill still work close with the file system and allow people limitedtemporary and decaying access. Access should be negotiated, as itis now, to still support community standards. The second designimplication is that of reciprocity in knowing whom and when a patient or child’s files are being accessed; if you can see my files,I should at least be able to see your information. Additionally, astechnology use grows electronic systems should not obfuscate thecommunity standards so that the community of trust can continueto function.Overall, the major implication for our findings is that electronicand physical security should be flexible to represent the shiftingcontext of access and management of information.
CONCLUSIONS & CONTRIBUTION
Though our preliminary studies of child and health care practiceswe have shown that there is a balance between needing to getwork done with needing to keep information secure. Three themeswere explored to demonstrate how this balance is negotiated in practice to create functioning secure work places. We believe thatour approach, while preliminary, offers valuable insight tofurthering research on how understanding practice affects thedesign of secure systems.
Bellotti, V. and A. Sellen. Design for Privacy in UbiquitousComputing Environments. in Proceedings of the ThirdConference on European Conference on Computer-